Skill v1.0.0

ClawScan security

Decision Framework · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 1:47 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, instructions, and requirements are consistent with a decision-framework helper: no unrelated credentials, no network installs, and the included script is a small local calculator — nothing indicates hidden or disproportionate behavior.
Guidance
This skill appears coherent and implements what it claims: decision frameworks plus a small local Python helper for weighted scoring. Before installing, consider: (1) The included Python script runs locally; review it (done here: it is a simple calculator that only processes command-line inputs). (2) The skill will handle whatever decision text you provide, so avoid pasting highly sensitive credentials or secrets into prompts. (3) If you plan to let the agent execute the script automatically, run it in a sandbox or environment you control (standard caution). If additional files are added that perform network calls, downloads, or request credentials, re-evaluate, because that would change the assessment.

Review Dimensions

Purpose & Capability
ok: The name/description (decision frameworks: SWOT, 10-10-10, decision tree, weighted scoring, Eisenhower) align with the SKILL.md and included files. The single script (weighted-scoring.py) directly supports the '加权打分' (weighted scoring) feature. There are no declared environment variables, binaries, or config paths that are unrelated to the stated purpose.
Instruction Scope
ok: SKILL.md instructs the agent to ask the user for decision context, gather options/weights/probabilities, and produce structured outputs (tables, trees, insights). It references only local resources (the included script and reference docs). There are no instructions to read arbitrary system files, access environment variables, or send data to external endpoints.
Install Mechanism
ok: No install specification is provided (instruction-only-style). The repository contains one small, local Python script; there are no downloads, external package installs, or extracted archives. Because nothing is fetched from the network during install, risk is low.
Credentials
ok: The skill declares no required environment variables or credentials. The SKILL.md and code do not reference secrets or unrelated services. The Python script accepts only command-line inputs (dimensions/options) and produces a markdown table; no credential access or external integrations are present.
Persistence & Privilege
ok: always:false and normal agent invocation settings. The skill does not request permanent presence, does not modify other skills' configs, and does not ask to store credentials. No elevated privileges are requested.